I-Worm.Swen

18 Sep 2003
Virus News


Kaspersky Lab, a leading information security expert, announces the detection of the network worm I-Worm.Swen. This malicious program spreads via email, the Kazaa file-sharing network and IRC channels.

Infected messages appear to have been sent from various Microsoft services, including MS Technical Assistance, Microsoft Internet Security Section, etc. The message text advises users to install a "special patch" from Microsoft. The "patch" is included as an attachment. Swen uses the same Internet Explorer vulnerability, detected in March 2001, that was used by many other well-known worms, such as Klez. Thus, once Swen breaks into an undefended machine, it executes itself independently of the owner.

The new malware program is written in Microsoft Visual C++ and is about 107 KB in size. The worm is activated in two cases: if the infected file is executed, or when the email program contains the IFrame.FileDownload vulnerability. The worm then installs itself into the system and initiates its propagation procedures.

When the attachment is opened for the first time, a window named Microsoft Internet Update Pack appears on the screen and imitates the installation of a patch. At the same time, the malicious code blocks all firewalls and anti-virus software.

Swen then scans the file system of the infected computer and extracts all email addresses, using them to mail itself to all available addresses via a direct connection to an SMTP server. The infected letters are in HTML and include an attachment containing Swen. In some cases, the worm can send copies of itself in .zip or .rar form.

Swen propagates via the Kazaa file-sharing network by copying itself under random names into the file exchange directory in Kazaa Lite. It also creates a subdirectory in the Windows Temp folder, using randomly generated names, and makes several copies of itself there under random names as well.
This directory is then identified in the Windows system registry as the source for the file-sharing system and, as a result, the new files created by Swen become available to other Kazaa network users.

Finally, for spreading via IRC, the worm scans for installed mIRC clients. If any are detected, Swen modifies the script.ini file by adding its propagation procedures. The modified script.ini file then sends infected files from the Windows directory to all users that connect to the now-infected IRC channel.

Kaspersky Lab experts currently attribute over 30,000 computer infections worldwide to I-Worm.Swen. The number of infections continues to rise. The defence against I-Worm.Swen has already been added to the Kaspersky® Labs anti-virus database. A description of I-Worm.Swen is available in the Kaspersky Virus Encyclopedia.
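
The email traits described above (a Microsoft-looking sender, an HTML body, an attached "patch") can be checked at a mail gateway. The following is an added example, not Kaspersky Lab code: the function name, indicator labels, sample message and the `cid:` iframe check are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message (not a real Swen sample); all names are made up.
SAMPLE = """\
From: "MS Technical Assistance" <support@example.net>
To: user@example.org
Subject: Latest security patch
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>Install the attached patch.<iframe src="cid:p1" height="0"></iframe></body></html>
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"
Content-ID: <p1>
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# .zip/.rar are named in the article; .exe is an assumption for the "patch" itself.
RISKY_EXT = (".exe", ".zip", ".rar")
# Assumption: the IFrame trick shows up as an iframe that loads an attached part.
IFRAME_CID = re.compile(r"<iframe[^>]+src\s*=\s*[\"']?cid:", re.I)

def swen_like_indicators(raw):
    """Return the set of heuristic indicators found in one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = set()
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    trusted = domain == "microsoft.com" or domain.endswith(".microsoft.com")
    # Display name claims Microsoft while the address domain does not match.
    if re.search(r"\b(microsoft|ms)\b", display, re.I) and not trusted:
        hits.add("microsoft-impersonation")
    for part in msg.walk():
        if part.get_content_type() == "text/html" and IFRAME_CID.search(part.get_content()):
            hits.add("iframe-loads-attachment")
        if (part.get_filename() or "").lower().endswith(RISKY_EXT):
            hits.add("risky-attachment")
    return hits
```

A message that raises all three indicators is a strong candidate for quarantine; any single indicator alone is common in legitimate mail.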